From setting up a CA to creating an X.509 certificate

# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..............................+++
.................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Bunkyo-ku]:
Organization Name (eg, company) [waw-project]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [kerukeru_server]:
Email Address [your@mail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b1:9f:c3:35:c5:88:99:30
Validity
Not Before: Jun 9 01:04:29 2012 GMT
Not After : Jun 9 01:04:29 2015 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = waw-project
commonName = kerukeru_server
emailAddress = your@mail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
AF:58:3B:8F:30:C8:97:61:C3:00:E9:84:ED:AB:9B:09:42:B7:CD:23
X509v3 Authority Key Identifier:
keyid:AF:58:3B:8F:30:C8:97:61:C3:00:E9:84:ED:AB:9B:09:42:B7:CD:23

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jun 9 01:04:29 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Note: a 1024-bit RSA modulus is below the minimum that browsers and the CA/Browser Forum baseline have required for years; pass 2048 (or 3072/4096) instead of 1024 here. The CA key generated above is already 2048 bits.

# Checking the contents (prints the key's components; do not paste this output anywhere)
# openssl rsa -in server.key -text

# Removing the passphrase
# openssl rsa -in server.key -out server.key

Enter pass phrase for server.key: (passphrase)
writing RSA key

After this step server.key is stored unencrypted on disk, which is what lets a web server start without prompting. Restrict it with file permissions (owner root, mode 0600): anyone who can read the file can impersonate the server.

# Creating the X.509 certificate request (CSR)
[root@kerukeru_server ~]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Tokyo]:
Locality Name (eg, city) [Bunkyo-ku]:
Organization Name (eg, company) [waw-project]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [kerukeru_server]:
Email Address [your@mail.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Creating the X.509 certificate (signing the CSR with the CA)
# openssl ca -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b1:9f:c3:35:c5:88:99:31
Validity
Not Before: Jun 9 01:12:01 2012 GMT
Not After : Jun 7 01:12:01 2022 GMT
Subject:
countryName = JP
stateOrProvinceName = Tokyo
organizationName = waw-project
commonName = kerukeru_server
emailAddress = your@mail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
82:23:57:8D:55:3A:CB:35:BF:7C:1D:59:86:14:A6:80:F3:69:5D:C4
X509v3 Authority Key Identifier:
keyid:AF:58:3B:8F:30:C8:97:61:C3:00:E9:84:ED:AB:9B:09:42:B7:CD:23

Certificate is to be certified until Jun 7 01:12:01 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# If signing fails with the following error:
failed to update database
TXT_DB error number 2
# the cause is a duplicate subject in the CA database. The CA certificate that `CA -newca` recorded in /etc/pki/CA/index.txt has exactly the same C/ST/O/CN/emailAddress as this server request (compare the two Subject blocks above), and the default `unique_subject = yes` in openssl.cnf refuses a second valid entry with the same DN. The quick fix used here is to wipe the database and start again:
# rm /etc/pki/CA/index.*
# touch /etc/pki/CA/index.txt
# This throws away the CA's record of every certificate it has issued, which you need for revocation and CRLs, so it is only acceptable on a freshly created test CA. The cleaner fixes are to give the CA a Common Name of its own (e.g. "waw-project CA") so the DNs differ, or to set `unique_subject = no` in the [ CA_default ] section of /etc/pki/tls/openssl.cnf, which also allows re-issuing a certificate with the same DN later (renewal). Once the database has been used the setting is cached in index.txt.attr, so delete that file too after changing it.

Verifying the certificate
# openssl verify -CAfile /etc/pki/CA/cacert.pem server.crt
server.crt: OK

This confirms the chain only: server.crt is signed by cacert.pem and is within its validity period. It says nothing about whether the certificate is valid for the host name a client will connect to. The CSR above carries no subjectAltName, and current browsers ignore the Common Name for host matching, so they will reject this certificate. Add `subjectAltName = DNS:<hostname>` through an extensions section in openssl.cnf (or `openssl req -addext` on OpenSSL 1.1.1 and later); note that `openssl ca` only carries a SAN over from the CSR when `copy_extensions = copy` is set, otherwise the CA's own `-extensions` section must supply it. Check the result with `openssl verify -verify_hostname <hostname>` (OpenSSL 1.1.0 and later).
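The whole procedure above (CA, server key, CSR, signing with `openssl ca`, verification) as one self-contained POSIX shell example. It is added here and is not code from the original page: it builds the CA in a temporary directory with its own openssl.cnf instead of /etc/pki/CA, uses 2048-bit keys, gives the CA a Common Name distinct from the server's, puts the host name into a subjectAltName, and reproduces the index.txt collision from the error section by signing the same DN twice with `unique_subject = yes` and then with `unique_subject = no`. The DN values come from the page's transcript; the host name kerukeru.example.test and the 825-day certificate lifetime are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): CA -> key -> CSR -> `openssl ca`
# -> `openssl verify`, in a scratch directory with its own openssl.cnf.
# DN values follow the page; kerukeru.example.test and 825 days are assumptions.
set -eu

# write_config DIR UNIQUE_SUBJECT : minimal openssl.cnf for `openssl req` and `openssl ca`
write_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = local_ca
[ local_ca ]
database        = $1/index.txt
new_certs_dir   = $1/newcerts
serial          = $1/serial
certificate     = $1/cacert.pem
private_key     = $1/private/cakey.pem
default_md      = sha256
default_days    = 825
policy          = policy_any
unique_subject  = $2
copy_extensions = none
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
C  = JP
O  = waw-project
CN = kerukeru_server
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:kerukeru.example.test
EOF
}

# setup_ca DIR UNIQUE_SUBJECT : CA database files, 2048-bit CA key, self-signed CA cert
setup_ca() {
    mkdir -p "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"            # the database `openssl ca` updates on every signing
    echo 1000 > "$1/serial"
    write_config "$1" "$2"
    openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
    # A CN of the CA's own: on the page CA and server share a DN, which collides later.
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "/C=JP/O=waw-project/CN=waw-project Test CA" \
        -extensions v3_ca -days 3650 -out "$1/cacert.pem"
}

# issue_cert DIR NAME : unencrypted 2048-bit server key, CSR from [req_dn], signed cert
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    chmod 600 "$1/$2.key"
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -out "$1/$2.csr"
    # -batch answers the "Sign the certificate?" and "commit?" prompts with yes
    openssl ca -batch -config "$1/openssl.cnf" -extensions v3_server \
        -in "$1/$2.csr" -out "$1/$2.crt"
}

# verify_cert DIR NAME HOST : the page's chain check plus the host-name check
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$1/$2.crt"
}

main() {
    work=$(mktemp -d)
    setup_ca "$work/strict" yes            # yes is the stock default
    issue_cert "$work/strict" server
    # A second request with the identical DN is rejected (older OpenSSL reports
    # "TXT_DB error number 2", newer ones "There is already a certificate for ...").
    if issue_cert "$work/strict" renewed 2>/dev/null; then
        echo "expected the duplicate subject to be rejected"; exit 1
    fi
    setup_ca "$work/relaxed" no             # unique_subject = no: same DN may recur
    issue_cert "$work/relaxed" server
    issue_cert "$work/relaxed" renewed      # renewal with the same DN now works
    verify_cert "$work/relaxed" renewed kerukeru.example.test
    rm -rf "$work"
}
main
```

Run it as an ordinary user; it needs only the openssl binary and writes nothing outside the temporary directory. The CA key is left without a passphrase to keep the run non-interactive, which is acceptable only for a throwaway test CA; a private CA that will be trusted by real clients should keep the passphrase (or an HSM) in addition to the 0600 file mode.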
